RSA SecureID

RSA SecurID, sometimes referred to as SecurID, is a two-factor, public-key encryption authentication technology that is used to protect network resources. Developed by RSA Data Security, SecureID is built around the difficulty of factoring very large numbers. Because of this design, the algorithm uses prime factorization as a foolproof method of stopping brute force attacks. Solving the encryption takes a massive amount of time and processing power, thus deterring direct attacks on the security system. It is the standard encryption method for important data, especially when the information is being sent over the internet.

This authentication system is built around two main protections—a password or pin drive known by the user (something known), and (typically) a USB, smart card, or fob, otherwise called hardware tokens (something you have with you). These two points of authentication, or then used in conjunction with RSA’s Authentication Manager Software, which verifies the authentication requests.

When a user accesses a protected resource like a financial tracking database, or a bank’s back-end interface, he or she is asked for their passcode. The passcode is based on both the PIN provided by the SecurID system upon setup and the code that is generated for that login by the user's authenticator token. In this example, the user clicks on their RSA SecurID device, which generates a session specific code. Then, both of these codes are received by the RSA Authentication Agent and translated to the RSA Authentication Manager software, which then checks and approves the codes. The RSA SecurID system computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access.

Unlike many other security services, SecureID uses hardware authentication. This provides a level of protection from software-based cyber-attacks. The following is a comparison of SecurID versus other common security services.

While RSA SecurID tokens can protect against password replay attacks by generating unique passwords for each session, they are do not provide any functionality to protect against man in the middle attacks.

• If the attacker manages to block the authorized user from authenticating to the server until the next token code will be valid, he/she will be able to log in to the server. SecurID authentication server tries to prevent password sniffing and simultaneous login by declining both authentication requests, if two valid credentials are presented within a given time frame. In this type of attack, the security can be assisted with an additional authentication mechanism, such as SSL.
• If the attacker removes from the user the ability to authenticate their token, the SecurID server will assume that it is the user who is actually authenticating and hence will allow the attacker's authentication through.
• Social engineering attacks via phishing can also be used to assist in breaking RSA SecurID security. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of web security technologies. It is usually carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website look almost identical to the legitimate one.
• In case the attacker manages to get the credentials entered by user in plain text, it can be quickly used by an attacker as the legitimate user before the token expires (within a minute typically).
• Hard tokens can be physically stolen (or acquired via social engineering) from end users. The small form factor makes hard token theft much more viable than laptop/desktop scanning.

The simplest vulnerability with any and all password containers is losing the special key device or the activated smart phone with integrated functionality. This vulnerability cannot be solved with any single token container device during the hard-locked time of available access using the stolen or lost key. A user will typically wait more than one day before reporting the device as missing, giving the attacker plenty of time to breach the unprotected system. This could only occur, however, if the users User ID and PIN are also known.

In the client-server era, compliance was the main reason why organizations adopted security solutions like two-factor authentication, as they needed to fulfill regulations for protecting financial, healthcare, customer cardholder data, etc. But nowadays, security and risk management are the main reasons companies want to implement two-factor authentication. Data breaches are real and affecting millions of users, and have real consequences on a large scale. While only a few applications needed to be protected, today’s security environment requires access to dozens to hundreds of applications to be secured.

A two-factor solution needs to be scalable so it can be deployed across all apps and employees with sensitive information distributed horizontally among users with all levels of power and access. As the number of applications and users increase, and as cybercrime expands, shorter deployment times will be needed to provide safety.

In 2011, attackers breached RSA and stole the internal seeds used by RSA to verify its hardware devices, and used the information to attack Lockheed Martin, an RSA customer, amongst other unnamed defense contractors. These internal seeds comprise a secret key hard-coded into the token itself, and are the digital equivalent of a padlock combination. This vulnerability showcased the vulnerabilities of any high-cost hardware system.

Barracuda makes it easy to use SecureID keep your website and web applications protected from unauthorized access. The Barracuda Web Application Firewall includes Security and Information Management (SEIM) integration with the two major identity-management and multi-factor authentication systems—SecureID and CA SiteMinder. Contact Barracuda to learn more about RSA SecureID or to get a free trial of any Barracuda product.